Category: DevSecOps

  • Security as a Development Constraint, Not a Review Gate

    A compromised npm maintainer account pushed malicious versions of Axios, one of the most widely used JavaScript libraries, to the registry. The attack, which hit last month, bypassed GitHub Actions entirely. The attacker published directly via the npm CLI with stolen credentials. A hidden dependency deployed a remote access trojan. For three hours, every npm install that…

  • Infrastructure as Code Is Not DevOps

    Last month, March 2026, Iranian drone strikes hit AWS data centers in the Gulf. The me-south-1 region went offline, and developers scrambled. On Reddit, the stories split into two camps. One developer lost everything. They had Terraform templates. They had infrastructure defined in code. What they did not have was drift detection, cross-region reproducibility, tested…

  • DevOps Theater: When the Culture Never Actually Changed

    A couple of years ago, I was brought in to assess the delivery practices of a mid-size financial services company. They had all the artifacts of a modern engineering organization: a CI/CD pipeline, infrastructure as code templates, a dedicated SRE team, Slack channels named after microservices. The CTO proudly told me they had “completed their…

  • The Hidden Cost of Unpreparedness: Cloud Migration Without a Foundation

    Recently I was working with a financial services company on a cloud migration project. The scope was significant: over 180 servers, multiple business-critical applications, and tight regulatory requirements. On paper, it looked like a standard enterprise migration. But there was a problem, one I’ve seen too many times before. The customer hadn’t prepared for what…